Extracting a 3DES key from an IBM 4758

We made the contents of this set of web pages public late in the
evening of November 8th 2001. This page was added thereafter to document
the reactions of industry and academia; and to record the quite extensive
coverage our work received in the media.

Some reactions

The Banks

APACS (the UK Banks trade body) said the IBM 4758 was no longer in
use:

"This is a fascinating piece of work, but where it falls
down is that the banks have moved on and nowadays PINs are produced
randomly and not in relation to an account number".

We're very puzzled by the "no longer in use" remark,
since this is usually viewed as the state-of-the-art system. When
Newsnight talked to a number of high street banks, several said they
were not using this kit and others refused to comment. We do note the
remarks about PIN codes; but of course our attack has the potential to
steal other keys from the CCA software which might well include keys
used to encrypt data transmission.

IBM

IBM have now (Nov 16th on the web, but the gist was given to the media
on Nov 8th) issued a lengthy
statement which comes in several parts. The first part asserts that
the attack would not be possible in practice:

"The method of obtaining DES keys is based on an assumption
that a trusted insider would be granted access to run programs of his
choosing and copy information from the system. Organizations running
systems with the sensitive keys assumed in the method are advised by
industry standard practices to take steps which would thwart the
described method. Further, IBM has indicated in its publications that
users must take precautions when using services central to the method.
IBM believes that the method would be infeasible in realistic system
implementations."

i.e. the attack works and the multiple locks on the
cryptoprocessor can be circumvented. However, IBM assume that there will
be multiple locks on the doors to the room it is kept in.

i.e. the attack does not compromise the 4758 per se, but
the code running on it. We agree.

And in the final part they recommend disabling the
Key-Part-Import service and using public-key techniques to
introduce clear keys. They also note that users of the CCA software on
other platforms (such as the IBM eServer zSeries, iSeries, pSeries and
xSeries) should also be disabling this service.

Version 2.41 of the CCA was made available on 5th February 2002
from IBM's website at
http://www-3.ibm.com/security/cryptocards/html/release241.shtml.
Version 2.41 includes fixes specifically
designed to prevent the attack described on this website, and some of
the related weaknesses described in Mike Bond's paper "Attacks on
Cryptoprocessor Transaction Sets".

The major modification to the transaction set is the separation of
duty between confidentiality and integrity assurance for clear loading
of symmetric keys. The old modes of operation for Key_Part_Import were
FIRST, MIDDLE, and LAST. New modes of operation ADD and COMPLETE have
been created. The party responsible for testing the integrity of a key
(using Key_Test) can now use the COMPLETE mode, which does not permit
modification of the key being tested.

Several changes have been made to the semantics of Key_Part_Import and
of the symmetric key import and export commands, to prevent type changes
between replicate and non-replicate keys during import, and to prevent
export of non-replicate keys under replicate keys.
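To make the separation of duty concrete, here is an added toy model (not IBM's CCA code) of the old FIRST/MIDDLE/LAST modes beside the new ADD/COMPLETE modes. It assumes key parts are combined by XOR and stands in a SHA-256 prefix for the real Key_Test verification pattern; key-token format and access control points are not modelled.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of Key_Part_Import before and after CCA 2.41. Key
# parts combine by XOR; the token format, access control points and the
# real Key_Test algorithm are simplified away (hypothetical).

@dataclass
class KeyToken:
    parts: list = field(default_factory=list)  # 8-byte key parts so far
    complete: bool = False

    def value(self) -> bytes:
        acc = bytes(8)
        for p in self.parts:
            acc = bytes(a ^ b for a, b in zip(acc, p))
        return acc

def key_part_import_old(tok: KeyToken, mode: str, part: bytes) -> KeyToken:
    """Pre-2.41 modes FIRST/MIDDLE/LAST: every mode contributes a part and
    LAST also seals the key, so whoever completes the key can change it."""
    if mode not in ("FIRST", "MIDDLE", "LAST") or tok.complete:
        raise ValueError("bad mode or key already complete")
    if (mode == "FIRST") != (not tok.parts):
        raise ValueError(f"{mode} not valid at this point")
    tok.parts.append(part)
    tok.complete = (mode == "LAST")
    return tok

def key_part_import_new(tok: KeyToken, mode: str,
                        part: Optional[bytes] = None) -> KeyToken:
    """2.41 modes ADD/COMPLETE: COMPLETE accepts no key material, so the
    party running Key_Test can seal the key but cannot modify it."""
    if tok.complete:
        raise ValueError("key already complete")
    if mode == "ADD" and part is not None:
        tok.parts.append(part)
    elif mode == "COMPLETE" and part is None and tok.parts:
        tok.complete = True
    else:
        raise ValueError(f"{mode} with part={part!r} refused")
    return tok

def key_test(tok: KeyToken) -> str:
    """Verification pattern (toy: SHA-256 prefix, not CCA's algorithm)."""
    return hashlib.sha256(tok.value()).hexdigest()[:16]
```

Under the old modes the final party's LAST call both alters and completes the key; under the new modes a COMPLETE call carrying a key part is refused, so the tested value is the one the other custodians loaded.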

Extra access control points have been created which disable the fixes in
order to permit upgrade to version 2.41 for reasons other than security.

The CCA is a much safer product now that no single individual can damage
the integrity of the key material. The attack described on this website was
based purely on specification level faults. Note that some of the
security-related fixes in release 2.41 relate to implementation
faults; these have no direct connection with the attacks described on
this site, but presumably came to light as a consequence of the closer
examination of the CCA code that followed the publicity.

The 4758 team

The people who designed and built the 4758 hardware have not been
terribly amused by our work, or at least the way in which it has ended up
being reported. Of course we didn't crack their part of the system at all,
and we remain impressed by the tamper-resistance of the hardware and
firmware. What failed was the CCA financial software, which predates the
4758, though it is provided for free along with it. What's also failed, in
our view, is the way in which the lack of validation for CCA is hidden by
the marketing spin for the FIPS validation of the hardware and firmware.
We think you have to be a very knowledgeable purchaser to understand what
you have and have not bought.

The security community

How our work appears in the media

The extremely helpful people in the Cambridge University Press Office
helped us create this press
release. They also mentioned the story to BBC2's Newsnight programme
and their science editor Susan Watts came to Cambridge to film Mike Bond
talking about what we had done. The film was broadcast on Thursday 8th
November at about 22:50 (it was to have been the first story, but the
Scottish First Minister decided to resign, which was clearly a more
important story). Richard Clayton was interviewed from Brussels (where he
happened to be working that week). Anyone who watched has now joined the
rare group of people who have seen him wearing a tie.

Not to be outdone by Richard, Mike appeared as the lead 6pm news story
on local television, was interviewed live on national radio to be heard by
five million people (Johnny Walker show, Radio 2), appeared on various
local radio stations in the UK and even made it onto Radio CNET which is
broadcast to listeners in Silicon Valley and across the world on the
Internet.